reverting recent SSL-related patches

Michael Vogt michael.vogt at
Tue Jan 13 07:48:43 GMT 2015

On Sun, Jan 11, 2015 at 12:08:52AM +0100, Nicolas Sebrecht wrote:
> Merge branch 'ns/fix-fingerprint' into next
> The cause is that they introduced a regression: the fingerprint option alone is
> not working anymore. Such configuration fails on a bad certificate (the one
> provided by the default locations).

First of all, thanks for your work on the offlineimap!

I feel strongly that the user should not have to configure a default
ca-certificates anywhere in its configuration file. I don't have to do
this with e.g. wget or curl or ldap, there is a default
(distro/os specific) thats used unless the user overrides this.

I'm probably missing something here but it seems that for those users
who have the fingerprint configured in the repo you simply unset
self.ca_certs in WrappedIMAP4_SSL for this imap repository and reply
entirely on the fingerprint. Something like (untested):

--- a/offlineimap/
+++ b/offlineimap/
@@ -145,6 +145,9 @@ class WrappedIMAP4_SSL(UsefulIMAPMixIn,
         if 'fingerprint' in kwargs:
             del kwargs['fingerprint']
         super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)
+        # fingerprint overrides the certs
+        if 'fingerprint' in kwargs:
+            self.ca_certs = None
     def open(self, host=None, port=None):
         if not self.ca_certs and not self._fingerprint:

I imagine that people who use this option do not trust the cert chain
and use the fingerprint as a sort of cert-pinning so this should do
exactly what they want.


More information about the OfflineIMAP-project mailing list